Attachments can't be downloaded

[USS_Atlas]

Hi,

I've installed a SMF 2.1.2 recently and everything is working except...

I've activated attachments and I can upload files. However, I can't download them. Whenever I click on the attachment button, I'm getting a "Secure Connection Failed" error from my browser. Everything is hosted on the same server with a valid SSL certificate.

Any ideas how to solve this?

Unfortunately I'm not allowed to post external links so I can't include a link to my forum.

[Doug Heffernan]

I'm getting a "Secure Connection Failed" error from my browser.

This error is related to the security certificate not being valid, expired, or simply missing. Are you sure that you have set it up properly at your forum. Also, see this guide on the subject and double check that everything is set up properly at your forum.

https://www.simplemachines.org/community/index.php?topic=555034.0

[Steve]

I can't include a link to my forum.

After you do as Doug suggested, we'll go from there.

[USS_Atlas]

I've worked to the thread Doug posted.

- The SSL certificate is working fine on my website and the forum. The padlock in my browser always says
  "connection secure" when loading a page. The error "Secure Connection Failed" appears
  only when clicking on an attachment (which is saved on the same server).
- I've checked all links in the settings. They all start with "https://".
- I've used repair_settings.php to double check all links. All are starting with "https://".
- I've enabled the "Force SSL" and the "Image proxy" option in the server settings

I have a .htaccess in place with the following lines:

Code Select Expand

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Header set Strict-Transport-Security: "max-age=63072000; includeSubDomains; preload"
Header set Referrer-Policy: no-referrer
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Any ideas how to solve the problem?

[Doug Heffernan]

Can you remove first all the Header references from the .htaccess file and see if it will help? Personally I do not think that they are needed there.

Is this a fresh install? Did you get that immediately after the installation, or did you install a third party mod and/or did some other changes to the forum and then the error happened? If the later, try to undo the changes one at a time till you localise the culprit.

[USS_Atlas]

I'll play with the .htaccess tomorrow...

Regarding your questions:
- Yes, it is a fresh install
- No third party mods installed, just one theme (Fusion)
- I can't say if the error occured before or after I installed the Fusion theme
- I've just switched back to the SMF Standard theme (curve2) and the error still appears

[Doug Heffernan]

I'll play with the .htaccess tomorrow...

Let us know how it will go.

[USS_Atlas]

Well, I've just removed the header sections and the error still appears.

See for yourself: https://www.uss-atlas.de/forum/index.php/topic,16.0.html [nofollow]

[USS_Atlas]

There is some news:
Instead of Firefox, I've used Edge for testing purposes. With Edge I'm getting a slightly different response when trying to download the attachment:

ERR_HTTP2_PROTOCOL_ERROR

[Sir Osis of Liver]

Which SSL cert are you using?

[Doug Heffernan]

When I click the link to the attachments at your forum I get a Secure Connection Failed error message.

[Kindred]

are your attachment settings including the https as well?
Are your attachments stored in the same directory path/subdomain as the root of the forum?

[USS_Atlas]

@Sir Osis of Liver : My host is providing a SSL certificate for free from Starfield Technologies, Inc. "Let's encrypt" is not supported.

@Doug Heffernan : That's exactly the problem! Why are the website and the forum working correctly while the attachments (which are stored on the same server in a subdirectory) are not?

@Kindred : Which settings exactly do you mean?
The forum is stored in .../forum/
The attachments are stored in the subdirectory .../forum/attachments/

[Doug Heffernan]

@Doug Heffernan : That's exactly the problem! Why are the website and the forum working correctly while the attachments (which are stored on the same server in subdirectory) are not?

When you ran the repair_settings.php tool, did you check the Attachment Directory value? If not, run it again and make sure that the aforementioned directory points to the right path.

[USS_Atlas]

Yes, I did check the attachment directory value. It was correct and it is now.

[Doug Heffernan]

Is there any error logged in to the forum error log and/or server error log pertaining to this?

Can you make a screenshot of the Attachment Directories and Attachments Settings at the Admin Panel of your forum? And one of the Attchment Directory in the repair_settings.php file and post them here?

[USS_Atlas]

There are no errors reported in the forum error log. Server logs are disabled.

My forum language is German. I hope the screenshots help anyway...





Edit: I've removed the repair settings screenshot as it contains sensitive information and leaves your forum vulnerable. I've pm'ed it to @Doug Heffernan and will do so for anyone else who needs it in this topic. ~ Steve

Edit 2: My partner in crime Doug explained to me why it did not need to be removed. I wasn't sure so I figured 'better safe than sorry' as they say.

[USS_Atlas]

This is the server side FTP window:



The .htaccess within the .../forum/attachments directory contains

Code Select Expand

<Files *>
    Order Deny,Allow
    Deny from all
    Allow from localhost
</Files>

RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml


[Sir Osis of Liver]

640 in public permissions does not allow file read.  Try changing attachment permissions to 644.

[USS_Atlas]

Changing to 644 had no effect.

[Sir Osis of Liver]

I'm inclined to agree with Doug, seems to be a certificate issue.  There was a problem with Let's Encrypt certs a while back which only affected older browsers, but afaik it didn't involve any other certs.  Was this forum upgraded from 2.0 or is it an original 2.1 install?

[Sir Osis of Liver]

Hmm, your test attachments are also not displaying thumbs.  Here's something you can try. 

In Subs.php, change this

Code Select Expand


return $path . '/' . $attachment_id . '_' . $file_hash . '.dat';


To this -

Code Select Expand


return $path . '/' . $attachment_id . '_' . $file_hash;


Then remove the .dat extension from one of your test attachments.  Does it display a thumb and download?

[Doug Heffernan]

Edit: I've removed the repair settings screenshot as it contains sensitive information and leaves your forum vulnerable. I've pm'ed it to @Doug Heffernan and will do so for anyone else who needs it in this topic. ~ Steve

Showing only the attachment directory, as I asked, does not pose a security risk at all in this case. It poses a security risk only if the database details were shown and/or if the link to it was posted in the open as well.

I like the way that you are being cautious btw

[Doug Heffernan]

Was this forum upgraded from 2.0 or is it an original 2.1 install?

It is a fresh install as per the OP.

[Steve]

Thanks Doug. I did a second edit to that particular post.

[USS_Atlas]

Hmm, your test attachments are also not displaying thumbs.  Here's something you can try. 

In Subs.php, change this

Code Select Expand


    return $path . '/' . $attachment_id . '_' . $file_hash . '.dat';


To this -

Code Select Expand


    return $path . '/' . $attachment_id . '_' . $file_hash;


Then remove the .dat extension from one of your test attachments.  Does it display a thumb and download?

No thumbnail appeared. When clicking on the attachment, I now get a "File not found" error in my browser and the forum error log shows:

Code Select Expand

2: sha1_file(/[removed for data protection]/uss-atlas/forum/attachments/28_b643f9f24a63e3933f339e630e5635b92d5c8d52): failed to open stream: No such file or directory

I've also tried uploading a new attachment. It still won't work, giving me the "Secure Connection Failed" error.
So I've switched back to the original subs.php.

I don't think that the error is caused by a certificate issue because all the HTML pages are working perfectly. And also the forum is working perfectly - except for the attachments. Therefore in my opinion it must have something to do with the attachments themselves and especially the way they are saved.

Usually I'm using Firefox but when using Edge I get the error "ERR_HTTP2_PROTOCOL_ERROR".
I've learned that this error can have a million of reasons (as per https://stackoverflow.com/questions/58215104/whats-the-neterr-http2-protocol-error-about [nofollow]). But I came to believe that the server is sending back a malformed (chunked) HTTP response header or it has something to do with file compression. Any comments on that?

[Sir Osis of Liver]

Did you remove the .dat extension from one of the attachments after editing Subs.php?  If not, you'll get the 404. 

[USS_Atlas]

Yes, I renamed the file via FTP and removed the .dat extension. I got the 404 anyway.

[Sir Osis of Liver]

Download one of the attachments, change the extension from .dat to .jpg, see if you can open it in image editor.

[Sir Osis of Liver]

Yes, I renamed the file via FTP and removed the .dat extension. I got the 404 anyway.

That really shouldn't happen.  If the file exists and you've only removed '.dat' from filename, you shouldn't get a 404, unless one or the other edits was done incorrectly.

Which error do you get if you try to link directly to the file?

[USS_Atlas]

Downloading the .dat file, renaming it to .jpg and opening with an image viewer worked. Also for the thumbnail that was generated.

[USS_Atlas]

Yes, I renamed the file via FTP and removed the .dat extension. I got the 404 anyway.

That really shouldn't happen.  If the file exists and you've only removed '.dat' from filename, you shouldn't get a 404, unless one or the other edits was done incorrectly.

Which error do you get if you try to link directly to the file?

I just tried a second time.

1. I changed the line in subs.php from

Code Select Expand

return $path . '/' . $attachment_id . '_' . $file_hash . '.dat';to

Code Select Expand

return $path . '/' . $attachment_id . '_' . $file_hash;
2. I renamed the file via FTP from

Code Select Expand

33_dbbd9104080e6b6131f595443557dbaf48b12b5d.datto

Code Select Expand

33_dbbd9104080e6b6131f595443557dbaf48b12b5d
3. I clicked on the attachment button in the thread. Now I'm getting the "Secure Connection Failed" error.
When I'm trying to directly open the file via browser, I get an error message

Code Select Expand

Forbidden

You don't have permission to access this resource.
I tried direct access with permissions 640 (as generated by the forum) and after changing to 644. Both give the "Forbidden" error.

[USS_Atlas]

There is another side effect to this change. I've now got 51112 errors coming in pairs in the forum error log.

Code Select Expand

https://www.uss-atlas.de/forum/index.php?action=dlattach;attach=33
/[removed for data protection]/uss-atlas/forum/Sources/ShowAttachments.php (Zeile 395)
Backtrace-Information

Art des Fehlers: Generell
Fehlermeldung Auswählen
2: fread() expects parameter 1 to be resource, bool given


Code Select Expand

https://www.uss-atlas.de/forum/index.php?action=dlattach;attach=33
/[removed for data protection]/uss-atlas/forum/Sources/ShowAttachments.php (Zeile 393)
Backtrace-Information

Art des Fehlers: Generell
Fehlermeldung Auswählen
2: feof() expects parameter 1 to be resource, bool given


[Sir Osis of Liver]

The errors are caused by the Subs.php edit, that's not a fix, just a diagnostic.  On test forum I get 403 (forbidden) error when linking directly to file, that's what's supposed to happen.  The files are not damaged if you can open them in image editor.  Everything seems normal except you can't load attachments or thumbs from posts.  Can you switch to a different SSL certificate?

[USS_Atlas]

No, I can't. Let's encrypt is not supported by my host.

[USS_Atlas]

Gentlemen, it seems that I have found and solved the problem! I was correct about the HTTP header and probably also about file compression.

This post https://stackoverflow.com/a/58857699 [nofollow] contained the solution. In ShowAttachments.php I commented out the following section:

Code Select Expand

// Multipart and resuming support
    // if (isset($_SERVER['HTTP_RANGE']))
    // {
        // send_http_status(206);
        // header("content-length: $new_length");
        // header("content-range: bytes $range-$range_end/$file[size]");
    // }
    // else
        // header("content-length: " . $file['size']);

After doing so attachments worked as they should including thumbnail pictures.

Thank you for your support.

[Sir Osis of Liver]

That's interesting.  Saw that post on stackoverflow but didn't think it applied.  An http range request shouldn't cause this problem, and afaik it's the first time it's been reported in 2.1.  Maybe the devs should have a look.

[USS_Atlas]

It seems the file length given in the header is inconsistent with the real file length (probably due to compression). When accessing the file via https, the file length is checked against the header. The mismatch lead to the server aborting the file delivery and giving the ERR_HTTP2_PROTOCOL_ERROR.

I agree that the devs should have a look at this.

[Steve]

The attachment system is already being looked by the developers so I'm marking this solved.